from 0 to secure in 1 minute - securing laas - nir valtman
TRANSCRIPT
FROM 0 TO SECURE IN 1 MINUTENIR VALTMAN
About me
I am working in as the <HEAD> Application Security </HEAD>
, except at
Neither of my previous startups succeeded!
1st time speaking publicly
But at least I invented few open source tools.
Mmmm… OH, AND
Cloud security challenges and benefitsAnd more specifically, using IaaS automation and orchestration features for increasing the security
Dashboard Billing API
Orchestration
Hypervisor Controller Abstraction
PhysicalServers Network Storage
About the talk
About the talk
Cloud Attack Vectors
Provider administration
Management console
Multi tenancy &
virtualization
Automation & API
Chain of supply
Side channel attack
Insecure instances
Anatomy of a cloud hack
Anatomy of a cloud hack – BrowserStack’s Story
Shell shock vulnerability on unused server
Found API key on the hacked server
Opened a firewall rule
and launched an instance using the API key
Attached a backup
volume to the instance
Found database credentials on backup device
Connected to DB
SOURCE: https://www.browserstack.com/attack-‐and-‐downtime-‐on-‐9-‐November
Do we have the right tools?
SOURCE: http://ifail.info/wp-‐content/uploads/2010/04/street_dentist_thumb.jpg?98bbf9
Secure SDLC
Secure SDLC
Dynamic/Interactive application security testing (DAST/IAST)
Secure Infrastructure?
Secure Infrastructure?
Static code analysis
Software composition analysis
Secure Infrastructure?
The existing security tools for DevOps
Signing and Obfuscation
Check out code and Build Unit testing Quality control
Deployment to test
environment
Fetch latest builds
Integration testing
Packaging and archiving
Fetch release ready builds
Deployment to pre-‐prod
environment
Acceptance testing
Deployment to production
Micro-‐Services Architecture
DEV OPS
ContinuousDelivery
1 hour
10 min
1 min
Architecture & deployments are changing
The billing cycles are being reduced
Google slashes cloud platform price again
Microsoftwill offer Azure by the minute to
take on Amazon’s cloud
Microsoft follows Google with by-‐the-‐minute cloud
blending
AUTO SCALING
The challenge
How to do security when servers alive for 10 minutes?
Patch management Maintenance windows
Periodic vulnerability scanning
Hardening
DON’T LET SECURITY TO HOLD YOU DOWN
Introducing
Launch Configure and harden Scan Move to
Production
SOURCE: https://github.com/valtmanir/Cloudefigo
Based on the work made by Rich Mogull from Securosishttps://github.com/rmogull/PragmaticNetSecManagement
Cloudefigo’s lifecycle
Server launch1Server loads security
configuration
Server encrypts disk volumes
Server scanned for vulnerabilities
Server moves to production
S3
2
3
4
5
Components
Object Storage
Vulnerability Scanner Cloud-‐Init
Configuration Management IAM Roles Volume
Encryption
Instance’s lifecycle
Launch
Update
Control
Scan
Production
Terminate
LAUNCH
Prepare
Cloudinit
ü Each instance manages its own attributes§ Encryption keys § Remediation vs. production groups
ü Management of these attributes requires permissions
ü Permissions during launch > production
ü Thus, a dynamic IAM role is required
LAUNCH
Prepare
Cloudinit
LAUNCH
Prepare
Cloudinit
ü Executed in root permissions when image is launching.
ü Responsible for building the infrastructure for the following steps.
LAUNCH
Prepare
Cloudinit
LAUNCH
Prepare
Cloudinit
UPDATE
OS update
Pre-‐requisites
Any risks?
ü CloudInit to update & upgrade software packages
ü The primary goal is to make sure the cloud instance is secure once upgraded
Need to make sure the pre-‐prod/test/CI environments include the recent operating system
updates as well!
UPDATE
OS update
Pre-‐requisites
ü CloudInit to install the software packages required to operate: § Python + pip + wheel§ AWS SDK (Boto)§ Chef Client + Chef SDK (PyChef)
ü Download configurations and scripts from S3:§ Cloudefigo script§ Chef client initialization files
ü Cloudinit to create and attach a volume for application files and data.
CONTROL
Chef Registration
Encrypt
ü The Chef clients register to the Chef Management server using the initialization files loaded from S3.
ü Once the client is registered, a policy is loaded and enforced on the instance.
CONTROL
Chef Registration
Encrypt
Where should you keep your keys?
Cloud Provider On Premise 3rd Party
Protected Snapshots and backups
Snapshots, backups,subpoena and malicious insiders
Snapshots, backups and cloud provider’s malicious insiders
Vulnerable Maliciousinsider attacksand subpoena
Key exchange attacks
Key exchange attacks and subpoena (partial)
CONTROL
Chef Registration
Encrypt
ü The volume to be encrypted using randomly generated key.§ The key is kept in S3 for later use.
ü The application database to be installed in the encrypted volume.
Instance 1
Instance 2
Instance 3
Bucket 2f3g
Bucket 5dw4
Bucket 8H7g
Key ID 5dw4
Key ID 8H7g
Key ID 2f3g
Key 1#Fd3
Key vFS3=
Key Bs$a
CONTROL
Chef Registration
Encrypt
ü Dynamic S3 policy: access to the encryption key requires a referrer header that is generated based on attributes from the instance.
CONTROL
Chef Registration
Encrypt
CONTROL
Chef Registration
Encrypt
SCAN
Automatic Scan
Analyze
ü A vulnerability scan to be launched automatically by the CloudInit script.
ü The deeper the scan, the longer it takes to move the instance to production.
SCAN
AutomaticScan
Analyze
ü The results of the scan are analyzed by the Cloudefigo script.
ü Based on successful scan results – the instance to move to production or remain in the remediation group.
ü The lowest security risk severity can be defined.
SCAN
AutomaticScan
Analyze
SCAN
AutomaticScan
Analyze
PRODUCTION
Least privileged role
Manage
ü Reminder: Permissions in launch > production
ü IAM role permissions reduced dynamically -‐contains read only access
PRODUCTION
Least privileged role
Manage
ü For the ongoing operations – compensating controls are required.
ü Cloudefigomanagement script lists cloud instances and validates they are managed by Chef
ü Cloudefigo will set alert when someone will try to use access keys.
PRODUCTION
Least privileged role
Manage
Building the CloudWatch alarm
PRODUCTION
Least privileged role
Manage
PRODUCTION
Least privileged role
Manage
PRODUCTION
Least privileged role
Manage
TERMINATE
Instance
EncryptionKeys
ü The life cycle ends once a server is terminated along with:§ Attached volumes§ IAM role
TERMINATE
Instance
EncryptionKeys
ü The instance data still exists in backups/snapshots or provider storage
ü Encryption keys to be deleted with instance in order to make sure the backup data remains inaccessible (not implemented in this version)
Wrapping Up
The new software architecture and applications delivery in cloud module disrupts traditional correctives controls
We need to adopt new thinking to automate security
Think how security automation can help you in moving your infrastructure forward. Faster.
Questions
Nir Valtman@: nir.valtman (at) ncr.com w: www.ncr.com | www.valtman.orgin: www.linkedin.com/in/valtmanirt: @ValtmaNir
Did I mention that I’m HIRING? Building the A-‐TEAM!